#01: What about (y)our privacy?

In the Netherlands it is not unusual that all data is seized during a house search by the Financial Intelligence Unit or the ‘tax police’ (FIOD) in a criminal investigation. All data in the sense that an image of the server(s) or the (personal) computer is made and that all data storage devices are seized. Just imagine that the people who search your house seize your SD-cards with family pictures of last Christmas as well as the IPads of your children with their favorite games and homework stored on it. Perhaps even your corkscrew will be seized because your ‘unwanted guests’ believe it is actually a USB-stick. Without blinking an eye the investigators seize everything while they have no idea what information is actually on the devices. And when the seizure is enacted based on a request for mutual assistance the public prosecutor and even investigating judges are simply executing their assignment and want to send all seized data to the country which requested them to do so. In practice the investigators and the public prosecutor seem to not even take a look at their ‘catch’ or filter the information for relevance. They – seem to – believe it is up to the other state to invest what data is relevant for their criminal investigations. But what about (y)our privacy?

In the Netherlands a house search can be conducted by the (tax)police with a formal authorization of an investigating judge (article 110 of the Criminal procedural Code). According to the law an investigating judge should be present during the search but in practice the investigating judge is present during the start of the search, after which he leaves and will remain available by phone if necessary. A search of a company premises can be authorized by a public prosecutor (article 96c of the Criminal procedural Code). The prosecutor is in that case not obliged by law to request authorization from an investigating judge. In both cases it is possible to file a complaint after the search against the search and seizure (article 552a of the Criminal procedural Code). However the judge decides upon the complaint by judging whether it is reasonable. In relation to searches and seizures in respect to a foreign request for mutual assistance a judge has to approve after the search which information will be released to the requesting State (article 552p of the Criminal procedural Code). However, in both procedures little attention is paid to (y)our right to privacy in the sense of article 8 of the European Convention for Human Rights (the Convention). It is our opinion that the right to privacy in the Dutch procedure is not guaranteed.

Article 8 (2) of the Convention states:

“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

How should this right be protected when data is seized for a criminal investigation?

We believe we do not have to dwell on the fact that a search and seizure creates an interference to your private life. The European Court for Human Rights (the Court) decided in Niemietz v. Germany that this may extend, for example, to a professional person’s office. Since the interference is an infringement it can only be qualified as rightful when this interference is in accordance with the law. It has to have a legitimate aim and it has to be necessary in a democratic society. A lot of jurisprudence on these criteria has been produced over the years. In the Netherlands some interesting case-law was published regarding the criteria ‘in accordance with the law’. In a recent case the defense argued that a warrantless search and seizure of digital contents of a smartphone during an arrest was not in accordance with article 8 of the Convention, since this infringement was not in accordance with the law, since the law must be adequately accessible and foreseeable. When article 94 of the Criminal procedural code was drafted – on which ground the smartphone was searched- it was not foreseen that technology would develop in such a way that a smartphone would result in having a personal computer in our pockets. For this reason it was not foreseeable that a policeman would be allowed to search data on this smartphone without a court order. The Higher Court decided that indeed article 94 of the Dutch Criminal procedure Court created some base to conduct research on a seized object, but does not give concrete criteria by which this research is bound. This unlimited investigating power creates an infringement of article 8 of the Convention. The arguments of the defense before the court in the Netherlands were based on a decision of the United States Supreme Court – Riley v. California – in which the Court unanimously held that the warrantless search and seizure of digital contents of a smartphone during an arrest is unconstitutional. The Supreme Court clearly sets out the degree of privacy a digital device can have:

“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life.” The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple – get a warrant.”

If a search and seizure is in accordance with the law the most relevant question is whether the seizure of all data is proportional in relation to the legitimate aim and thus whether it is necessary in a democratic society. We will give you a few examples.

In the case of Robathin v. Austria  a law office was searched and data(devices) were seized. The investigators who conducted the search copied all files – which contained information about various clients of the firm – from the applicant’s computer to discs while the criminal investigation was related to one specific case. The Austrian national Court decided that all digital data could be reviewed by the investigators. The European Court however noted that the Austrian Court did not explain or motivate why all data could be reviewed by the investigators and therefor considers the following:

“In particular, it did not address the question whether it would be sufficient to search only those discs which contained data relating to “R.” and “G.”. Nor did it give any specific reasons for its finding that a search of all of the applicant’s data was necessary for the investigation. Thus, the way in which the Review Chamber exercised its supervision in the present case does not enable the Court to establish that the search of all of the applicant’s electronic data was proportionate in the circumstances.”

The Court concludes there has been a violation of article 8 of the Convention since the seizure and examination of all data went beyond what was necessary to achieve the legitimate aim.

In the case of Vinci Construction and GMT genie civil and services v. France inspections and seizures were carried out by investigators from the Department for Competition, Consumer Affairs and Fraud Prevention on the premises of two companies. The applicants stated that the seizures had been widespread and indiscriminate, because several thousand electronic documents were seized of which many were not connected to the investigation or were confidential and protected by legal professional privilege. In this case the Court considered that the seizures had not been “widespread and indiscriminate”, since the investigators had attempted to restrict their searches. Also a copy of the seized files and a sufficiently detailed inventory had been handed over to the applicants. Although no violation of article 8 was established, this decision shows that the investigators should make an effort to minimize their searches and seizures. Moreover, (at least) a sufficient inventory should be made of the collected data. We believe that it is not sufficient if the inventory list just states that a computer has been seized; the investigators should specify what (kind of) data is on the seized computer.

Last we want to bring the case of Prezhdarovi v. Bulgaria to your attention. In this case the police searched Mr Prezhdarov’s computer club which was located in a garage he owned with his wife. Mr Prezhdarov ran the club with his wife, renting the computers to clients. The inspection was ordered by the prosecuting authorities that the couple had installed games on the computers they rented to their clients without the obliged software licenses. During the inspection, five computers were seized containing computer programs, computer games and films. The applicants stated that the search of their computer club and the seizure of their five computers had been both unlawful and unnecessary. They complained in particular that the seized computers contained private correspondence and personal information which was not related whatsoever to the criminal proceedings against Mr Prezhdarov. The Court considered in this case that although the applicants complained multiple times about the fact that the computers contained personal information and that the national Court did not consider this argument. The Court concluded:

” While the Court accepts that, as a matter of principle, the retention of the computers for the duration of the criminal proceedings pursues the legitimate aim of securing physical evidence in an ongoing criminal investigation (see, mutatis mutandis, Atanasov and Ovcharov v. Bulgaria, no. 61596/00, § 70, 17 January 2008), the lack of any consideration of the relevance of the seized information for the investigation and of the applicants’ complaint regarding the personal character of some of the information stored on the computers rendered the judicial review formalistic and deprived the applicants of sufficient safeguards against abuse.”

 Hence, the Court decided that if a person complains in a national procedure against the seizure of a device because it contains personal information which is not relevant for the criminal investigation, the Court  has to take notice of this complaint, review the complaint and decide upon it.

In our view the Dutch practice does not comply with our right to privacy and the way the European Court of Human Rights has set the rules about when this right can be infringed. Too easily data devices are seized an copied without considering the specific data on it. We are curious about the practice concerning this issue in your country. How is data seized and searched through? And who (effectively) examines whether there has been a violation of article 8 of the Convention?